Ransomware used to be discussed as a technical incident. An infection happened, systems were hit, the security team responded, and the recovery plan kicked in. That framing no longer holds. In today’s environment, ransomware lands as a business crisis from the very first hour. It raises questions not just about containment, but about continuity, governance, legal exposure, regulatory reporting, reputational damage, and whether leadership is prepared to act under extreme uncertainty.
The first real question is not attribution. It is recoverability
For Manoj Nayak, CISO, SBI Life Insurance, the core issue is straightforward: “Recoverability is the most important thing.” In his telling, the first board-level question is rarely about malware families or threat actors. It is whether the organization can recover its data, restore critical operations, and keep the business moving when the timing is the worst possible. His example is telling. Imagine an annual general meeting looming the next day and the supporting data getting encrypted overnight. At that point, the cyber event becomes an enterprise event.
That is why Nayak places so much weight on readiness before the incident. Immutable backups matter, but so do tested recovery strategies, alignment to RTO and RPO, and what Gartner now frames as minimum business viability. A recovery plan that exists only on paper is not resilience. It is documentation.
The first ten minutes shape the next twenty days
Srinivasan B, VP & National Head – Information Security Compliance & Audit, Muthoot Fincorp, brings the focus to leadership conduct in the opening minutes. “Even if you are not confident, show you are confident,” he says. The point is not performance for its own sake. It is about creating enough calm and structure for the organization to think clearly. In those first moments, leadership needs triage, not blame. What is the likely impact? What may be exposed? What can still run? What is the downtime outlook? What are the fallback options?
That is where rehearsals start to matter. Tabletop exercises, crisis scripts, legal coordination, and communication playbooks are often treated as secondary compared with tools and controls. In practice, they decide whether the organization responds like a team or like a crowd.
The pressure is rising faster than most organizations admit
The threat itself is not standing still. Amit Joshi, Group CISO, Hindalco Industries, points to a broader shift in the threat landscape, where ransomware now sits alongside AI-driven attacks, deepfakes, and future-facing risks such as quantum disruption. The attackers are also becoming more targeted. “They target specifics,” he says, including senior leaders and high-value pressure points, with the aim of causing maximum impact.
That makes ransomware harder to treat as a narrow cyber problem. It is increasingly part of a wider risk environment where identity, trust, leadership decisions, and external perception all get tested together.
Readiness fails when governance turns into routine
That is why Pradipta Patro, Head of Cyber Security & IT Platform, RPG Group, warns against mistaking documented preparedness for real preparedness. In his view, “practical and theories are completely too different.” Control frameworks, runbooks, and incident plans matter, but when the event is live the enterprise discovers what is actually usable and what is ceremonial. His point is that confidence comes less from paperwork and more from disciplined drills, real simulations, and foundations that are operationally visible.
The hardest decision, of course, remains the one that no organization wants to face directly. To pay or not to pay. The answers from the security side remain clear. The instinct is overwhelmingly against payment. But that only sharpens the real lesson. If recoverability is weak, governance is loose, and crisis readiness is shallow, the organization will reach that decision point in a far more vulnerable state than it should.
Ransomware, then, is no longer just a test of defense. It is a test of executive readiness.
Disclaimer: The views expressed are solely those of the speakers and have been taken from the ETCISO Secufest 2026. ETCISO does not necessarily subscribe to them.
(With inputs from Swati Sengupta).

